Steam Inventory Helper Chrome extension v1.13.6 suffered from a DOM-based XSS in bookmarks.html combined with clickjacking via over-permissive web_accessible_resources, allowing arbitrary JavaScript execution in the extension's privileged context and hijacking of all authenticated websites. The vulnerability exploits jQuery's unsafe DOM manipulation APIs (html/append) paired with an unsafe-eval CSP directive, weaponized through UI redressing to trick users into pasting XSS payloads.
A DOM-based XSS vulnerability was discovered in Branch.io's attribution platform affecting 685+ million users across Tinder, Shopify, Yelp, and other major companies. The flaw exploited unvalidated GET parameters (redirect_strategy and scheme_redirect) to inject malicious payloads, with validation bypasses via indexOf() string matching and javascript:// protocol obfuscation.
A DOM XSS vulnerability in Adobe's PDF ActiveX plugin (res://apds.dll/redirect.html) can be exploited via IE by using the xfa.host.gotoURL() function to bypass same-origin policy restrictions and execute arbitrary JavaScript without security warnings. The vulnerability chains a parameter injection flaw with Adobe's insecure URL redirect handling to achieve cross-domain XSS.
A researcher found a stored XSS vulnerability in the Google AdWords conversion tracking page by injecting an SVG payload into the conversion name field, which persisted across browser sessions and executed in all major browsers. The vulnerability was rewarded $3,133.70 by Google's VRP.
Researcher discovered a stored XSS vulnerability in Uber's invitation link feature by injecting a payload into the 'v' parameter, then bypassed the strict Content Security Policy by leveraging the whitelisted *.uber.com domain to load a malicious Marketo callback endpoint, resulting in a $2,000 bounty.
A reflected DOM XSS vulnerability in silvergoldbull.com/bt.html is exploitable via base64-encoded URL parameters, combined with clickjacking via iframe injection to steal user credentials through a fake login page. The vulnerability leverages obfuscated JavaScript that decodes and executes user-supplied parameters without proper sanitization.
Researchers discovered and exploited a DOM XSS vulnerability in Tesla's forums (forums.tesla.com) via CKEditor's InsertHtml function, bypassing HTML filters with a crafted img tag payload to load arbitrary JavaScript and embed a DOOM game in the page. The vulnerability was a self-XSS with limited impact but demonstrated creative filter evasion techniques.
A DOM-based XSS vulnerability in Google Crisis Map was discovered by bypassing client-side URL validation via request interception, then chained with a missing X-Frame-Options header to enable clickjacking attacks on published maps. The vulnerability required users to click through an overlaid iframe to trigger JavaScript execution.
A DOM XSS vulnerability was found in a private program where unsanitized location.pathname is used to construct AJAX requests, allowing attackers to redirect those requests to attacker-controlled domains and inject malicious scripts via protocol-relative URLs (//attacker.com).
A DOM-based XSS vulnerability was discovered in Google's /ajax/pi/fbfr endpoint where the location hash was directly used as a form action without validation, allowing javascript: protocol execution. The vulnerability was fixed by adding a check to ensure the hash begins with 'http' before using it as the form action.